
4.1 About Passphrases

Passphrases are an important security component in the implementation of SecureLogin. Passphrases are unique question and answer combinations created to verify and authenticate the identity of a user. In a directory environment, you can create passphrase questions for users. Users can select one of these questions and provide an answer for it. You can also permit users to provide a question of their choice and the answer for it.

Passphrases protect user credentials from unauthorized use. For example, in a Microsoft Active Directory environment, an administrator can reset a user's network password, log in as that user, and gain access to the user's information.

However, this cannot happen when you are using SecureLogin. If someone other than the actual user tries to reset the network password, SecureLogin triggers the passphrase question. The user must provide the correct answer before successfully logging in. Even an administrator cannot access the user's single sign-on-enabled applications without knowing the user's passphrase answer.
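The following model, added here as an illustration and not taken from SecureLogin's own code, shows why a passphrase defeats an administrative password reset. The design is an assumption for the example: the key that protects the user's single sign-on cache is wrapped twice, once under the network password and once under the passphrase answer. An administrator who resets the directory password does not learn the cache key, so the old password-wrapped copy becomes unusable and only the passphrase answer can re-key the store. Secrets and salts are constructed sample values.

```python
"""Added example: a model of why a passphrase defeats an administrative
password reset. Written for this page, not SecureLogin's implementation;
the key-wrapping design below is an assumed illustration."""
import hashlib
import hmac
import os
from typing import Optional

KEY_LEN = 32
PBKDF2_ROUNDS = 100_000  # assumed work factor for the demo


def derive_kek(secret: str, salt: bytes) -> bytes:
    """Key-encryption key derived from a network password or a passphrase answer."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt,
                               PBKDF2_ROUNDS, KEY_LEN)


def wrap_key(data_key: bytes, kek: bytes) -> bytes:
    """Wrap the random data key under a KEK: one-time XOR mask plus HMAC tag.

    Each wrap uses a KEK derived with a fresh salt, so a mask is never reused;
    the tag turns a wrong KEK into a clean failure instead of garbage output."""
    mask = hmac.new(kek, b"mask", hashlib.sha256).digest()
    blob = bytes(a ^ b for a, b in zip(data_key, mask))
    tag = hmac.new(kek, b"tag" + blob, hashlib.sha256).digest()
    return blob + tag


def unwrap_key(wrapped: bytes, kek: bytes) -> Optional[bytes]:
    """Return the data key, or None if the KEK is wrong (constant-time tag check)."""
    blob, tag = wrapped[:KEY_LEN], wrapped[KEY_LEN:]
    expected = hmac.new(kek, b"tag" + blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    mask = hmac.new(kek, b"mask", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(blob, mask))


class CredentialStore:
    """The user's single sign-on cache key, wrapped under two independent secrets."""

    def __init__(self, network_password: str, passphrase_answer: str) -> None:
        data_key = os.urandom(KEY_LEN)  # the key that encrypts the cached credentials
        self.pw_salt = os.urandom(16)
        self.pp_salt = os.urandom(16)
        self.by_password = wrap_key(data_key, derive_kek(network_password, self.pw_salt))
        self.by_passphrase = wrap_key(data_key, derive_kek(passphrase_answer, self.pp_salt))
        # The plaintext data key is deliberately not kept on the object.

    def open_with_password(self, network_password: str) -> Optional[bytes]:
        """Normal login path: the password alone unlocks the store."""
        return unwrap_key(self.by_password, derive_kek(network_password, self.pw_salt))

    def recover_with_passphrase(self, answer: str, new_password: str) -> bool:
        """Passphrase prompt after a reset: unwrap with the answer, then re-wrap
        the same data key under the new network password."""
        data_key = unwrap_key(self.by_passphrase, derive_kek(answer, self.pp_salt))
        if data_key is None:
            return False
        self.pw_salt = os.urandom(16)
        self.by_password = wrap_key(data_key, derive_kek(new_password, self.pw_salt))
        return True


def login(store: CredentialStore, network_password: str,
          passphrase_answer: Optional[str] = None) -> str:
    """Outcome of a SecureLogin-style login against the store."""
    if store.open_with_password(network_password) is not None:
        return "opened"
    if passphrase_answer is None:
        return "passphrase required"  # the password changed outside the user's control
    if store.recover_with_passphrase(passphrase_answer, network_password):
        return "opened after passphrase"
    return "denied"


if __name__ == "__main__":
    store = CredentialStore("Winter-2024", "blue 1234")  # constructed sample secrets
    print(login(store, "Winter-2024"))                    # opened
    # An administrator resets the directory password to "Reset-1"; the store
    # still holds the key wrapped under the old password, which the admin lacks.
    print(login(store, "Reset-1"))                        # passphrase required
    print(login(store, "Reset-1", "wrong answer"))        # denied
    print(login(store, "Reset-1", "blue 1234"))           # opened after passphrase
    print(login(store, "Reset-1"))                        # opened
```

The point of the model is the second wrapping: after the reset, the directory accepts the new password, but the store cannot be opened with it until the user proves knowledge of the passphrase answer, which the administrator never held.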

When SecureLogin is launched for the first time on a user’s workstation, the Passphrase Setup dialog box is displayed.

NOTE

• In a Microsoft Windows Vista or higher environment, when you log in to SecureLogin in an offline mode with an incorrect password, you are prompted to provide the passphrase answer. If an incorrect passphrase answer is specified, you are prompted to retry the authentication.

However, if you again provide a wrong password, instead of seeing a prompt for the passphrase answer, you are prompted to specify the password (that is, instead of the passphrase dialog box, the password dialog box is displayed). Close and relaunch SecureLogin to be prompted for the password first, and then for the passphrase answer if an incorrect password is specified.


• SecureLogin using the Novell Client does not support non-password-based NMAS logins if the passphrase options are disabled. This is not supported because SecureLogin either fails to open the local cache or opens the local cache file without any password.

• Also, offline authentication does not work if you do a non-password-based NMAS authentication with the Passphrase Security System disabled. This is because SecureLogin in offline mode accepts only passphrases for non-password-based NMAS authentication. This scenario occurs only if SecureLogin is installed in Novell Client mode.

Passphrase Authentication

Passphrases are used to authenticate when:

• A user is working either remotely or offline in an eDirectory or non-Microsoft Active Directory LDAP environment.

• Someone other than the actual user resets the network password.

Benefits of Passphrases

Some of the benefits of using passphrases include:

• An individual cannot access a user's credentials by resetting the network password.

• Passphrases can be used in conjunction with SecureLogin Self-Service Password Reset, which enables users to reset their network password after answering the passphrase question.

• You can use this functionality to disable access to user credentials if the computer is stolen.

NOTE: You can disable the passphrase security system, but it also removes the features mentioned in the preceding section.

4.2 Creating a Passphrase Question

As an administrator, you can:

• Create one or more passphrase questions for users to select.

• Enable users to create their own passphrase question and answer.

• Set up a combination of both.

To create a passphrase question:

1 Launch the Administrative Management utility (iManager, SLManager, or MMC snap-ins).

2 Click Advanced Settings. The Advanced Settings options are displayed.

By default, User-defined passphrase questions is selected. Deselect this option if you do not want users to create their own passphrase question and answer.

3 Click New.

4 In the Enter a new passphrase question dialog box, provide your passphrase question.

5 Click OK. The question you provided is displayed in the Corporate passphrase questions field.

This passphrase question is displayed to all users associated with the selected object.

6 Repeat Step 3 to Step 5 to create additional passphrase questions.

IMPORTANT: Make sure you click OK after you have created the passphrase question to save the changes and exit the page.

The passphrase answer is specified by the user when he or she sets up the passphrase question and answer. Ideally, passphrase answers must contain a minimum of six characters. However, you can change the policy to suit your security requirement. For more information, see Section 5.2, "Changing a Passphrase Policy," on page 45.

We recommend that you do not apply strict policies to passphrase answers, as that makes them harder to remember. Instead, we recommend using a multivalue question, such as "What is your driving license number plus your mother's name?", and setting a passphrase policy based on that.

4.3 Resetting a Passphrase Answer

If a user forgets the passphrase answer, you must reset the user’s SecureLogin configuration to ensure that the user’s data is secure. This deletes all user-specific information, including usernames and passwords.

For more information on resetting user data, see Section 2.6, "Deleting or Re-setting User Data," on page 18.

IMPORTANT: When you set up a user’s passphrase question and answer policies, we recommend that you keep them simple so that the user can easily remember the answer.

4.4 Changing the Passphrase Prompt

You can change the passphrase prompt that users see in the Passphrase Setup dialog box the first time they log in.

1 Launch the Administrative Management utility (iManager, SLManager, or MMC snap-ins).

2 Click Advanced Settings. The Advanced Settings options are displayed.

3 Under Customized Passphrase Prompt, select the Modify the passphrase prompt window text check box. The Custom prompt is now active.

4 Specify the new prompt.

5 Click OK to save the changes and close the Administrative Management utility. Log in as a new user to view the customized prompt.

4.5 Changing a Passphrase

Users can change their passphrase answer depending on how you configure SecureLogin.

1 Right-click in the notification area (system tray), then select Advanced > Change Passphrase. The Passphrase dialog box is displayed.

2 Specify the passphrase answer in the field.

3 Click OK. The Passphrase Setup dialog box is displayed.

4 In the Enter a question field, select or specify a passphrase question.

5 In the Enter the answer field, specify the new passphrase answer.

6 In the Confirm the answer field, retype the new passphrase answer.

7 Click OK.

NOTE: Users who do not have access to the SecureLogin icon cannot change their passphrases. You can temporarily enable access to the icon to allow the user to change the passphrase with the Display the system tray icon preference setting.

5 Managing Passphrase Policies